What we've been watching.
Recent supply-chain compromises across npm, PyPI, RubyGems, crates.io, Go modules, Packagist, NuGet, Open VSX, Docker Hub, and GitHub Actions. Curated from public vendor advisories. We list every version we can verify so the scanner picks them up directly: 511 package–version pairs across 36 incidents and counting.
- Critical · 11 May 2026 · 70 packages tracked
TanStack + @uipath mini-Shai-Hulud compromise
Between 19:20 and 19:26 UTC on 2026-05-11, an attacker pushed 84 malicious versions across 42 @tanstack/* packages by chaining `pull_request_target`, GitHub Actions cache poisoning, and runtime memory extraction of an OIDC token from the runner. Same credential-stealing worm payload as the April SAP campaign; also hit @uipath, @mistralai, and others.
npm, PyPI · npm-2026-05-shai-hulud-tanstack · Source advisory
- High · 1 May 2026 · 16 packages tracked
BufferZoneCorp sleeper attack on RubyGems + Go modules
Socket disclosed a coordinated sleeper-package campaign attributed to the GitHub org `BufferZoneCorp` (and RubyGems user `knot-theory`). Initially clean Ruby gems and Go modules were updated to malicious versions. The Ruby side harvests env vars, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI config, and RubyGems credentials; the Go side tampers with GitHub Actions workflows, injects fake executables, and adds SSH persistence via authorized_keys. First confirmed 2026 RubyGems + Go module supply-chain campaign.
Go, RubyGems · multi-2026-05-01-bufferzonecorp-rubygems-go · Source advisory
- Critical · 30 Apr 2026 · 3 packages tracked
PyTorch Lightning + intercom-client + intercom-php coordinated push
Mini Shai-Hulud wave 2: coordinated April 30 release of `lightning` 2.6.2/2.6.3 (PyPI), `intercom-client` 7.0.4/7.0.5 (npm), and `intercom/intercom-php` 5.0.2 (Packagist) carrying the same Bun-based credential stealer used in the SAP/@cap-js wave. ~11.7MB `router_runtime.js` fires preinstall on npm; a `.pth` file fires at every Python import on PyPI. Worm propagation via stolen GitHub PATs labelled "OhNoWhatsGoingOnWithGitHub:".
npm, Packagist, PyPI · multi-2026-04-30-mini-shai-hulud-wave2 · Source advisory
- High · 29 Apr 2026 · 9 packages tracked
DPRK "PromptMink" campaign uses AI agents to insert @validate-sdk/v2 dependency
ReversingLabs traced a DPRK Famous Chollima / UNC1069 campaign that began with `@hash-validator/v2` in Sept 2025 and evolved through Feb 28, 2026 to insert `@validate-sdk/v2` as the malicious dependency of benign-looking "bait" SDKs aimed at AI coding agents. One AI-authored commit pulled `@solana-launchpad/sdk` into a crypto trading repo. Phase 4 in March 2026 used Rust NAPI modules and 85MB Node SEA bundles to exfiltrate full source trees. 300+ malicious package versions across 60+ unique packages observed.
npm, PyPI · multi-2026-04-29-promptmink-validate-sdk · Source advisory
- Critical · 29 Apr 2026 · 4 packages tracked
SAP / @cap-js mini-Shai-Hulud campaign
Mini-Shai-Hulud-style attack against SAP-related npm packages on 2026-04-29 09:55–12:14 UTC. Preinstall `setup.mjs` downloads the Bun runtime, then runs an obfuscated `execution.js` that exfiltrates GitHub/npm tokens, AWS/Azure/GCP secrets, Kubernetes tokens, and browser passwords via the GitHub GraphQL API. Includes a Russian-locale guardrail and persistence via .claude/ and .vscode/ poisoning.
npm · npm-2026-04-sap-cap-js · Source advisory
- Critical · 24 Apr 2026 · 2 packages tracked
elementary-data PyPI package backdoored via GitHub Actions injection
An attacker (account `realtungtungtungsahur`) exploited a script-injection flaw in the `elementary-data` release workflow via PR comment, then used the workflow token to forge release commit b1e4b1f3 and trigger the legitimate publishing pipeline. PyPI `elementary-data` 0.23.3 and ghcr.io/elementary-data/elementary 0.23.3 + `latest` shipped a ~245 KB obfuscated payload in `elementary.pth`. Clean 0.23.4 published April 25.
Docker, PyPI · pypi-2026-04-24-elementary-data · Source advisory
- High · 23 Apr 2026 · 1 package tracked
js-logger-pack npm worm uses Hugging Face datasets as malware CDN + exfil store
JFrog found 27 malicious versions of `js-logger-pack` (1.1.0-1.1.27) abusing the Hugging Face repo `Lordplay/system-releases` to fetch cross-platform binaries (Windows/macOS x64/macOS ARM64/Linux) and upload stolen data to private datasets. The malware adds keylogging, clipboard capture, browser-session and Telegram Desktop theft, plus an operator command channel.
npm · npm-2026-04-23-js-logger-pack-huggingface · Source advisory
- Critical · 22 Apr 2026 · 1 package tracked
Xinference PyPI package backdoored on import
JFrog flagged three consecutive `xinference` releases (2.6.0-2.6.2) on PyPI carrying a TeamPCP-style payload embedded in `xinference/__init__.py` that fires on import. The malware base64-encodes a stage-1 wrapper containing the comment `# hacked by teampcp`, then spawns a detached subprocess that bundles harvested data into `love.tar.gz` and POSTs it with a custom `X-QT-SR: 14` header. TeamPCP publicly denied involvement, claiming a copycat. 600,000+ downloads of malicious wheels.
PyPI · pypi-2026-04-22-xinference-teampcp · Source advisory
- Critical · 22 Apr 2026 · 3 packages tracked
Checkmarx KICS Docker images + Open VSX extensions compromised (TeamPCP)
Docker and Socket jointly disclosed a multi-stage compromise of Checkmarx KICS Docker images and Checkmarx VS Code / Open VSX extensions. Trojanised extensions silently install an MCP addon executed via Bun, while the Docker images include a modified KICS binary that encrypts scan output and exfiltrates it. TeamPCP claimed responsibility.
Docker, Open VSX · multi-2026-04-22-checkmarx-kics-vsx-docker · Source advisory
- Critical · 22 Apr 2026 · 1 package tracked
@bitwarden/cli 2026.4.0 hijacked via Checkmarx GitHub Actions breach
TeamPCP pushed a malicious `@bitwarden/cli@2026.4.0` to npm between 17:57 and 19:30 ET on April 22, exploiting Bitwarden's use of the breached `checkmarx/ast-github-action`. `bw_setup.js` fetched Bun 1.3.13 from GitHub and ran a payload that targeted SSH, Git, npm, AWS/GCP/Azure, GitHub Actions secrets, and AI/MCP configs (`.claude.json`, `.kiro/settings/mcp.json`), exfiltrating via `audit.checkmarx.cx`. Live ~90 minutes; Bitwarden confirmed no end-user vault data was accessed.
npm · npm-2026-04-22-bitwarden-cli-teampcp · Source advisory
- Critical · 21 Apr 2026 · 6 packages tracked
CanisterSprawl: self-propagating npm worm hits pgserve + Namastex packages
Socket and StepSecurity disclosed CanisterSprawl, a self-propagating npm worm that compromised at least 16 versions across Namastex Labs and related publishers from 21 April 2026. The postinstall hook harvests 38 env vars and filesystem secrets, encrypts via AES-256-CBC + RSA-4096, and exfiltrates to an Internet Computer Protocol canister. Stolen npm tokens are reused to publish further malicious versions. Tradecraft matches the earlier TeamPCP CanisterWorm campaign.
npm · npm-2026-04-21-canisterworm-pgserve-namastex · Source advisory
- High · 15 Apr 2026 · 36 packages tracked
36 fake Strapi plugins on npm deploy persistent implants
Four sock-puppet npm accounts (umarbek1233, kekylf12, tikeqemif26, umar_bektembiev1) uploaded 36 packages over a ~13-hour window impersonating Strapi CMS plugins. Payload evolution moved through 8 variants targeting Redis RCE with cron injection, Docker container escapes, PostgreSQL exploitation on hosts named `prod-strapi`, Python reverse shells on port 4444, and SSH-key backdoors.
npm · npm-2026-04-15-strapi-plugins · Source advisory
- High · 15 Apr 2026 · 1 package tracked
@kindo/selfbot npm package delivers XWorm RAT via 5-stage Astral Warfare chain
JFrog identified `@kindo/selfbot` (XRAY-964727), a video-game-themed Discord selfbot npm package. A 5-stage chain (JS downloader → 250KB obfuscated batch → PowerShell process injection → XOR-decoded shellcode → XWormClient .NET RAT) installed itself against `explorer.exe` with AMSI/ETW evasion.
npm · npm-2026-04-15-kindo-selfbot-xworm · Source advisory
- High · 14 Apr 2026 · 5 packages tracked
5 NuGet packages impersonate Chinese .NET UI libraries with infostealer payload
NuGet publisher `bmrxntfj` shipped five packages on 14 April 2026 within ~13 seconds, grafting a .NET Reactor-protected infostealer onto decompiled legitimate libraries. Across 219 total versions they accumulated ~65k downloads, targeting browser creds, crypto wallets, and SSH keys on Windows .NET dev hosts.
NuGet · nuget-2026-04-14-chinese-ui-impersonators · Source advisory
- High · 7 Apr 2026 · 14 packages tracked
DPRK Contagious Interview campaign expands across 5 ecosystems
Socket disclosed a fresh wave of DPRK Contagious Interview / FAMOUS CHOLLIMA packages spanning npm, PyPI, Go modules, crates.io, and Packagist. They impersonate logging / license developer tooling and act as staged loaders for credential stealers and RATs across Windows, macOS and Linux. The Windows variant deploys a keylogger and AnyDesk for hands-on access.
crates.io, Go, npm, Packagist, PyPI · multi-2026-04-07-contagious-interview-5-ecosystems · Source advisory
- Medium · 5 Apr 2026 · 1 package tracked
hermes-px PyPI "privacy" AI proxy steals prompts via stolen university infra
JFrog detected `hermes-px`, masquerading as a privacy-preserving AI proxy. It routed requests through Tor to a stolen Tunisian university API and bundled a 246K-character Anthropic Claude system prompt rebranded as "AXIOM-1". It simultaneously exfiltrated all prompts/responses unencrypted to a Supabase endpoint, bypassing Tor and exposing user IPs.
PyPI · pypi-2026-04-05-hermes-px · Source advisory
- Critical · 31 Mar 2026 · 4 packages tracked
Axios npm compromise (North Korea-nexus RAT)
Lead-maintainer account compromised via social engineering. Two malicious axios releases pulled in plain-crypto-js, whose postinstall fetched a cross-platform RAT from sfrclak[.]com:8000. Microsoft + Google attribute to Sapphire Sleet / UNC1069 (North Korea-nexus). Live for ~3 hours; ~100M weekly downloads in scope.
npm · npm-2026-03-axios · Source advisory
- High · 31 Mar 2026 · 1 package tracked
LofyGang returns with undicy-http typosquat delivering dual-payload RAT
JFrog tied `undicy-http@2.0.0` (a typosquat of `undici`) to the Brazil-based LofyGang group last seen in 2022. The package pairs a Node.js WebSocket RAT with a native `chromelevator.exe` binary that uses direct syscalls for process hollowing, then injects browser credential stealers targeting 50+ browsers and 90+ wallet extensions.
npm · npm-2026-03-31-undicy-lofygang · Source advisory
- Critical · 27 Mar 2026 · 1 package tracked
Telnyx Python SDK hides credential stealer in WAV-file steganography
TeamPCP published malicious `telnyx` 4.87.1 and 4.87.2 to PyPI on 27 March 2026 (~670k monthly downloads). Trojanised `_client.py` downloads steganographic payloads disguised as `.wav` files over plaintext HTTP, extracts the credential stealer, and persists. Windows variant drops `msbuild.exe` to the Startup folder; Linux variant uses a user-level systemd service. AES-256-CBC + RSA-4096 envelope for exfil.
PyPI · pypi-2026-03-27-telnyx-teampcp · Source advisory
- Critical · 24 Mar 2026 · 1 package tracked
LiteLLM PyPI backdoored as TeamPCP cascade reaches Python
TeamPCP used credentials harvested from the Trivy compromise to publish trojanised `litellm` 1.82.7 and 1.82.8 to PyPI on 24 March 2026 (~10:39 and 10:52 UTC). Malicious wheels drop a `litellm_init.pth` file in site-packages, executing a credential stealer at every Python interpreter start. PyPI quarantined the packages ~40 minutes after publication. Attackers later claimed ~500,000 credentials from this single compromise. LiteLLM averages ~3M daily downloads and ships in ~36% of cloud environments.
PyPI · pypi-2026-03-24-litellm-teampcp · Source advisory
- High · 24 Mar 2026 · 5 packages tracked
5 npm typosquats target Solana + Ethereum dev libraries, exfil keys to Telegram
npm publisher `galedonovan` shipped five typosquats of legitimate crypto libraries. Each transparently intercepts private keys passed through normal API calls (Base58 decoding for Solana, Wallet construction for Ethereum), exfiltrates them to a hardcoded Telegram bot, then returns the expected result so functionality looks normal.
npm · npm-2026-03-24-solana-ethereum-typosquats · Source advisory
- High · 23 Mar 2026 · 2 packages tracked
Checkmarx KICS GitHub Actions trojanised by TeamPCP
Between 12:58 and 16:50 UTC on 23 March 2026, TeamPCP hijacked 35 tags in the Checkmarx `ast-github-action` and `kics-github-action` repos to push a credential stealer, leveraging tokens stolen from the Trivy compromise. CI/CD pipelines using either Action during the window executed the stealer before the legitimate scan.
GitHub Actions · github-actions-2026-03-23-checkmarx-kics · Source advisory
- Critical · 20 Mar 2026 · 29 packages tracked
CanisterWorm: @emilgroup and @teale.io npm publisher compromise (29+ packages)
An attacker compromised the @emilgroup and @teale.io npm namespaces, replacing 58 package-versions with a Python backdoor that polls an Internet Computer Protocol (ICP) canister for follow-on payloads. The implant persists via user-level systemd and includes worm-style republishing via deploy.js. Wiz later linked the tradecraft to TeamPCP; Socket declined firm attribution.
npm · npm-2026-03-20-canisterworm-emilgroup-teale · Source advisory
- Critical · 19 Mar 2026 · 3 packages tracked
Trivy GitHub Action + Docker images compromised — start of TeamPCP cascade
Aqua Security's Trivy scanner was compromised on 19 March 2026 by the threat actor self-identifying as TeamPCP. The attacker force-pushed 76 of 77 tags in `aquasecurity/trivy-action` (only @0.35.0 survived) and all 7 tags in `aquasecurity/setup-trivy` to malicious commits, then published trojanised Trivy binary 0.69.4 + Docker images 0.69.5/0.69.6/latest. A stolen Argon-DevOps-Mgt service-account token seeded the downstream LiteLLM, Telnyx, Bitwarden CLI, and Checkmarx compromises.
Docker, GitHub Actions · github-actions-2026-03-19-trivy-teampcp-cascade · Source advisory
- High · 18 Mar 2026 · 2 packages tracked
GlassWorm sleeper extensions activate on Open VSX
Roughly 40 malicious VS Code extensions surfaced March 14-18, 2026: 20+ new extensions, ~20 previously dormant sleepers activated, plus 11 extensionPack droppers. The campaign hosts VSIX payloads on attacker-controlled GitHub releases to evade registry takedowns. Publishing accounts: `laura6909`, `martina0094`, `chiara585`, `francesca898`.
Open VSX · openvsx-2026-03-18-glassworm-sleeper · Source advisory
- High · 13 Mar 2026 · Feed-only · no version-specific detection
GlassWorm: 72+ Open VSX extensions weaponised via transitive loaders
Socket linked at least 72 additional malicious Open VSX extensions to the GlassWorm campaign. Newer variants use `extensionPack` / `extensionDependencies` fields to transitively pull GlassWorm loaders rather than embedding malware directly. Obfuscation rotated to RC4 + base64 with keys delivered in HTTP response headers.
openvsx-2026-03-13-glassworm-transitive · Source advisory
- Medium · 12 Mar 2026 · 6 packages tracked
6 malicious Packagist OphimCMS themes ship trojanised jQuery and FUNNULL redirects
Six Composer packages from the `ophimcms` organisation posed as OphimCMS themes containing trojanised jQuery. The payload exfiltrates URLs, injects ads, and redirects mobile traffic via OFAC-sanctioned FUNNULL infrastructure. Combined ~2,750 installs.
Packagist · packagist-2026-03-12-ophimcms-themes · Source advisory
- Medium · 28 Feb 2026 · 5 packages tracked
5 malicious Rust crates pose as time utilities to exfiltrate .env files
Five crates published between late February and early March 2026 posed as local time utilities while exfiltrating .env files via `curl` to a lookalike domain `timeapis.io` (typosquatting `timeapi.io`). All packages were 0.1.0 and yanked within hours. Account aliases: `gehakax777`, `dictorudin`.
crates.io · crates-2026-02-28-time-utility-typosquats · Source advisory
- High · 27 Feb 2026 · 26 packages tracked
StegaBin: 26 npm typosquats use Pastebin steganography to deliver Contagious Interview RAT
Socket disclosed 26 typosquatted npm packages tied to North Korea's Contagious Interview / FAMOUS CHOLLIMA cluster. The loader decodes steganographically-encoded Pastebin URLs to resolve C2 hosted across 31 Vercel deployments, then retrieves a 9-module infostealer and RAT toolkit.
npm · npm-2026-02-27-stegabin-contagious-interview · Source advisory
- Critical · 20 Feb 2026 · 19 packages tracked
SANDWORM_MODE: 19 npm typosquats with self-spreading worm + AI toolchain poisoning
Socket disclosed a Shai-Hulud-style self-propagating worm spread across at least 19 typosquatted npm packages from accounts `official334` and `javaorg`. It harvests CI secrets and crypto keys, propagates via stolen npm/GitHub tokens, and injects prompt-injection logic into MCP servers used by AI coding assistants.
npm · npm-2026-02-20-sandworm-mode · Source advisory
- High · 17 Feb 2026 · 1 package tracked
cline npm package hijacked via "Clinejection" prompt-injection chain
An attacker abused an unsanitised AI issue-triage GitHub Actions workflow on the Cline repo to poison the release pipeline cache and steal the npm publish token. They published `cline@2.3.0` with a postinstall script that globally installed the second-stage package `openclaw`. ~90k weekly downloads; live for ~8 hours before Cline rotated the token and shipped 2.4.0.
npm · npm-2026-02-17-cline-clinejection · Source advisory
- High · 11 Feb 2026 · 30 packages tracked
Lazarus "graphalgo" fake-recruiter campaign (npm + PyPI)
ReversingLabs attributed an ongoing fake-recruiter campaign (active since May 2025, reported Feb 2026) to North Korea's Lazarus Group (overlapping Jade Sleet / UNC4899). Crypto, JavaScript, and Python developers are lured via LinkedIn/Reddit/Facebook into interview "coding tasks" that pull a token-protected RAT loader from npm and PyPI. ~192 malicious packages attributed in total; bigmathutils alone passed 10,000 downloads.
npm, PyPI · multi-2026-02-11-lazarus-graphalgo · Source advisory
- Medium · 5 Feb 2026 · 3 packages tracked
Polymarket SDK typosquats on crates.io
Three crates impersonating `polymarket-client-sdk` were published between 5 and 19 February 2026 and exfiltrated local credential files. The malicious crates were yanked and publisher accounts disabled. Combined downloads stayed under 100, but targeting was high-value (Polymarket / Web3 developers).
crates.io · crates-2026-02-05-polymarket-typosquats · Source advisory
- Critical · 27 Jan 2026 · 2 packages tracked
dYdX v4-client npm + PyPI compromise (wallet stealer + RAT)
Maintainer credentials for the dYdX decentralized exchange were compromised; malicious versions of the official v4 client were pushed to npm and PyPI in a coordinated release. The npm payload exfiltrates wallet seed phrases through a malicious `createRegistry()` function. The PyPI variant additionally drops a Python RAT executed on import.
npm, PyPI · multi-2026-01-27-dydx-compromise · Source advisory
- High · 17 Jan 2026 · 1 package tracked
sympy-dev PyPI typosquat delivering XMRig cryptominer
A PyPI typosquat of SymPy was published by the account "Nanit" across four versions on Jan 17, 2026. It fetches a remote JSON config, downloads an ELF, and executes it from a memfd to evade disk-based detection. The payload is XMRig mining Monero on infected developer workstations.
PyPI · pypi-2026-01-17-sympy-dev-miner · Source advisory
- Critical · 15 Sept 2025 · 197 packages tracked
Original Shai-Hulud npm worm
First successful self-propagating worm in the npm ecosystem. Downstream of the August 2025 s1ngularity/Nx GitHub-token theft. The postinstall hook ran TruffleHog to harvest secrets, opened public GitHub repos named "Shai-Hulud" to publish them, force-converted private repos to public with a "-migration" suffix, and used stolen npm tokens to publish malicious versions of any package the maintainer could access. ~180 unique packages compromised across 300+ versions, including CrowdStrike's own scope (@crowdstrike/*).
npm · npm-2025-09-shai-hulud-original · Source advisory
Sources cited per card. We only list package versions named by the original advisory; we don't infer compromises. Missing something? Send it in.